I'm trying to help a client pass a PCI scan, and we're down to one fail but I'm not sure how to address it. The site is on an active SSL for both admin and customer-facing. This is the PCI flag we're getting:

Non-Secure Session Cookies Identified
The website software running on this server appears to be setting session cookies without the Secure flag set over HTTPS connections. This means the session identifier information in these cookies would be transmitted even over unencrypted HTTP connections, which might make them susceptible to interception and tampering.

I've disputed this stating that we're definitely on an SSL for the client's domain only, and they're asking the following:

Thank you for providing that information. Can your organization confirm that "PHPSESSID" and "default" are not session cookies but rather tracking cookies that have nothing to do with authentication to this system?
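A small checker for the test the scanner is running, added here as an example (it is not from the original post or from OpenCart): it parses the Set-Cookie headers of a raw HTTPS response and reports the cookies named in the finding, PHPSESSID and default, when they lack the Secure or HttpOnly attribute. The sample response is constructed.

```python
# Cookie names the scanner called out in this thread: PHP's default session id
# and OpenCart's cookie named "default".
SESSION_COOKIE_NAMES = frozenset({"PHPSESSID", "default"})


def parse_set_cookie(value: str):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # RFC 6265 attribute names are case-insensitive; values (Path=/, Max-Age=3600) are dropped.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def set_cookie_headers(raw_response: str):
    """Extract every Set-Cookie value from a raw HTTP response's header block."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit(raw_response: str, session_names=SESSION_COOKIE_NAMES):
    """Return [(cookie name, missing attributes)] for session cookies lacking Secure or HttpOnly."""
    findings = []
    for header in set_cookie_headers(raw_response):
        name, attrs = parse_set_cookie(header)
        if name in session_names:
            missing = tuple(a for a in ("secure", "httponly") if a not in attrs)
            if missing:
                findings.append((name, missing))
    return findings


# Constructed sample: an HTTPS response that would trigger the finding quoted above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: default=def456; path=/\r\n"
    "Set-Cookie: language=en-gb; path=/; Secure\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_RESPONSE):
        print(f"{name}: missing {', '.join(missing)}")
```

Feed it the headers captured from the live site (for example with `curl -sI https://<shop>/`) to see exactly what the scanner sees. In PHP the Secure and HttpOnly flags on PHPSESSID come from `session.cookie_secure` and `session.cookie_httponly` in php.ini, or from `session_set_cookie_params()` called before `session_start()`.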

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.

OC v3.0.2.0 has been rebuilt regarding its engine and startup configuration files and even the 3.1.0.0a (alpha) release. If you run a PCI scan on those versions, can you confirm the same results?